Author: jgardou Date: Wed Oct 8 19:50:14 2014 New Revision: 64619 URL: http://svn.reactos.org/svn/reactos?rev=64619&view=rev Log: [NTOS/SE] - Correctly reference/dereference token object when the set token is already in use. Modified: trunk/reactos/ntoskrnl/se/token.c Modified: trunk/reactos/ntoskrnl/se/token.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/token.c?rev=64… ============================================================================== --- trunk/reactos/ntoskrnl/se/token.c [iso-8859-1] (original) +++ trunk/reactos/ntoskrnl/se/token.c [iso-8859-1] Wed Oct 8 19:50:14 2014 @@ -243,19 +243,28 @@ if (OldToken == NewToken) { /* So it's a nop. */ - PsDereferencePrimaryToken(OldToken); + *OldTokenP = OldToken; return STATUS_SUCCESS; } Status = SepCompareTokens(OldToken, NewToken, &IsEqual); if (!NT_SUCCESS(Status)) { + *OldTokenP = NULL; PsDereferencePrimaryToken(OldToken); return Status; } - PsDereferencePrimaryToken(OldToken); - return IsEqual ? STATUS_SUCCESS : STATUS_TOKEN_ALREADY_IN_USE; + if (!IsEqual) + { + *OldTokenP = NULL; + PsDereferencePrimaryToken(OldToken); + return STATUS_TOKEN_ALREADY_IN_USE; + } + /* Silently return STATUS_SUCCESS but do not set the new token, + * as it's already in use elsewhere. */ + *OldTokenP = OldToken; + return STATUS_SUCCESS; } /* Mark new token in use */